Well, I know that the CA changes in Chrome when I access Gmail and I do get a warning notification of that, although it wasn't installed on the system at that time (if I choose to continue anyway).
On Android, however, I do not see the certificate installed. So, does that mean that Gmail traffic is not being intercepted? --------- Robert Dailey On Tue, Jun 18, 2013 at 12:50 PM, Brian Carlstrom <[email protected]> wrote: > Presumably they perform MITM by installing a CA controlled by proxy on > your system. > > -bri > > On Tue, Jun 18, 2013 at 10:05 AM, Robert Dailey <[email protected]> > wrote: > > Could you explain a bit better? I asked my IT department, and they said > they > > do monitor gmail traffic on Android. However, he could have been lying or > > just making a blanket statement. I figured out that they are using > "BlueCoat > > ProxySG" to perform MITM on web-gmail, but I'm not familiar enough with > > Android to understand why this also isn't being done on Gmail app for > > Android. Is Android more secure because it has the trusted credentials? > I'm > > assuming those are all known and accepted root certificates, so if they > did > > indeed try to MITM gmail on Android, then the root would change and thus, > > I'd hope Gmail would fail to accept it or something of that sort. > > > > > > --------- > > Robert Dailey > > > > > > On Tue, Jun 18, 2013 at 11:54 AM, Brian Carlstrom <[email protected]> > wrote: > >> > >> On Tue, Jun 18, 2013 at 8:52 AM, Jeffrey Walton <[email protected]> > >> wrote: > >> > On Mon, Jun 17, 2013 at 2:09 PM, Robert Dailey <[email protected]> > >> > wrote: > >> >> Is it possible for MITM to occur for traffic on the Android Gmail > >> >> client > >> >> when connected to a Wifi network > >> > Yes, its possible. > >> > >> Not unless a system CA has been compromised (which could then be > >> disabled in Settings > Security > Trusted Credentials) or a user CA > >> has been installed (which could be uninstalled from the same location) > >> > >> -bri > >> > >> > > >> >> If so, how can I verify whether or not my > >> >> SSL certificate has been compromised for Gmail? > >> > Pin the server's certificate or public key. > >> > https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning. > >> > > >> > If you are dealing with a browser-based app, then you are out of luck. > >> > Javascript, WebSockets, WebCrypto and other components in the stack > >> > don't make the required connection information available. In this > >> > case, you need to write a hybrid app or native app. Many people don't > >> > want to hear their browser-based app can't handle a particular data > >> > sensitivity level, and it usually goes over like a turd in a punch > >> > bowl. > >> > > >> > Not all apps need to pin. If the app is dealing with throwaway, low > >> > value data, then it does not matter - browser-based apps are fine. For > >> > medium value (for example, an organization's Single Sign On password) > >> > and high value data (such as information covered under US Federal > >> > law), then you probably can't use a browser-based app. > >> > > >> > In the future, sites (servers) will [likely] be able to ask the > >> > browser (clients) to pin certificates via > >> > https://tools.ietf.org/id/draft-ietf-websec-key-pinning-05.txt. > >> > However, there is no guarantee a client will perform a pin in the > >> > absence of a server's request. > >> > > >> > Jeff > >> > > >> > -- > >> > You received this message because you are subscribed to the Google > >> > Groups "Android Security Discussions" group. > >> > To unsubscribe from this group and stop receiving emails from it, send > >> > an email to [email protected]. > >> > To post to this group, send email to > >> > [email protected]. > >> > Visit this group at > >> > http://groups.google.com/group/android-security-discuss. > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > > >> > > > > > > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
